What is the ‘Cloud Sovereignty Framework’?

The European Commission has published a new ‘Cloud Sovereignty Framework’, a document that transforms a vague political term, ‘sovereignty’, into a concrete, measurable and enforceable set of rules. This framework is not just another policy paper; it is immediately applied in a €180 million procurement procedure for cloud services for all EU institutions. This move is a clear signal: for the EU, digital sovereignty is no longer an abstract ideal, but a hard contractual requirement.

Why a new framework for cloud sovereignty?

Until now, “sovereignty” in the context of cloud services has been a catch-all term. It raised questions about data location, the impact of foreign laws (such as the U.S. CLOUD Act) and dependence on non-European technology suppliers.

For governments and public institutions, this lack of clarity is a significant legal and strategic risk. The Commission's new framework, developed by the Directorate General of Digital Services, aims to eliminate this ambiguity. It provides a uniform yardstick to determine the extent to which a cloud service is actually under European control.

The framework is based on existing European initiatives such as GAIA-X and the ENISA cybersecurity framework.

The 8 pillars of sovereignty

At the heart of the framework are eight Sovereignty Objectives. A vendor is no longer judged solely on data storage, but on a much broader and deeper spectrum:

  1. Strategic Sovereignty (SOV-1): The extent to which the provider is anchored in the EU legal, financial and industrial ecosystem (e.g. ownership structure, governance).
  2. Legal & jurisdictional sovereignty (SOV-2): Exposure to foreign legislation (such as the US CLOUD Act) and the enforceability of European rights.
  3. Data & AI Sovereignty (SOV-3): The degree of control customers have over their data and AI models, including where data is processed.
  4. Operational Sovereignty (SOV-4): The practical ability to manage, support and maintain technology independent of foreign control.
  5. Supply chain sovereignty (SOV-5): The transparency and origin of critical components (hardware and software) and the degree of EU control over them.
  6. Technological Sovereignty (SOV-6): The independence of the underlying technology, focusing on open standards and avoiding ‘vendor lock-in’.
  7. Security & Compliance Sovereignty (SOV-7): Ensuring that security operations (such as Security Operations Centers) and compliance controls are under EU jurisdiction only.
  8. Ecological Sustainability (SOV-8): Long-term autonomy and resilience with respect to energy consumption and resource scarcity.

From “none” to “full” sovereignty: the 5 SEAL levels

The framework then defines five ‘Sovereignty Effectiveness Assurance Levels’ (SEALs) to classify the degree of sovereignty. This shows that sovereignty is not a binary ‘yes/no’ question, but a sliding scale:

  • SEAL-0 (No Sovereignty): Full control by non-EU parties.
  • SEAL-1 (Jurisdictional Sovereignty): EU law is formally applicable but enforceable only to a limited extent in practice.
  • SEAL-2 (Data Sovereignty): EU law is enforceable, but material non-EU dependencies remain.
  • SEAL-3 (Digital Resilience): EU actors have meaningful influence, but there is still marginal control by non-EU parties.
  • SEAL-4 (Full Digital Sovereignty): Technology and operations are fully under EU control, with no critical non-EU dependencies.

In the procurement process, the Commission sets a minimum SEAL level for each of the eight objectives. Tenderers who fail to meet this minimum level are excluded.

The ‘Sovereignty Score’: a weighted formula

In addition to the minimum SEAL thresholds, the Commission uses a ‘Sovereignty Score’ as an award criterion to qualitatively rank the bids. This score is calculated using a formula which assigns different weights to the eight objectives:

  • Operational sovereignty (SOV-4): 20%
  • Supply chain sovereignty (SOV-5): 20%
  • Strategic sovereignty (SOV-1): 15%
  • Technological Sovereignty (SOV-6): 15%
  • Legal sovereignty (SOV-2): 10%
  • Data & AI Sovereignty (SOV-3): 10%
  • Security & Compliance (SOV-7): 10%
  • Ecological sustainability (SOV-8): 5%

The weighting is significant. It assigns the highest weight to operational and supply chain independence. The relatively lower weights for ‘Legal’ and ‘Security’ (10% each) are explained in the document by the fact that these domains are already significantly covered by other safeguards in the procurement process.

Analysis: the future of the framework

Although the framework is currently designed for one specific (but very large) procurement, the impact is potentially much greater.

First, it provides an answer to the skepticism surrounding ‘sovereignty formulas’. While the accuracy of such formulas in procurement processes can always be questioned, the true value of this framework lies not in the formula itself, but in the detailed definition of the eight objectives and their ‘contributing factors’. It forces suppliers to be open about their ownership structure, the origin of their hardware, the location of their support teams and their dependence on non-EU software.

Second, this framework will almost certainly serve as a de facto benchmark. Other European, national and local governments grappling with the same questions of sovereignty now have a detailed and thoughtful reference framework that they can copy or rely on for their own procurement.

This framework is designed to give direction to the European cloud market and prevent ‘sovereignty washing’. Both European and non-European cloud vendors seeking to do business with the EU public sector will have to measure their services against this yardstick.

Conclusion

The European Commission's Cloud Sovereignty Framework is an important step. It transforms an abstract political concept into a concrete set of legal, technical and operational requirements. For cloud vendors, it defines the rules of the game for the coming years. For public institutions in Belgium, it provides a powerful tool to ensure control over their digital infrastructure and manage legal risks.


Joris Deene

Attorney-partner at Everest Attorneys
